Slide 1: Software Security Models for Service-Oriented Programming (SOP) Platforms

PhD thesis defense of Pierre Parrend
INRIA Amazones team, CITI Laboratory, INSA-Lyon

Thesis advisors: Stéphane Ubéda (Pr.), Stéphane Frénot (McF)

Jury
- Reviewers (rapporteurs): Didier Donsez (Pr., Uni. Grenoble I), Ralf Reussner (Pr., Uni. Karlsruhe)
- Examiners: Ciaran Bryce (MER, Uni. Genève), Pierre-Etienne Moreau (CR, INRIA)
Slide 2: Context / The evolution of software

Monolithic applications -> component-based applications -> service-oriented programming (SOP) applications

Challenges along the way: management, integration, security.

Environnements d'exécution pour passerelles domestiques, Yvan Royon, PhD Thesis, December 2007.
Spontaneous Integration of Services in Pervasive Environments, Noha Ibrahim, PhD Thesis, September 2008.
Slide 3: Context / Motivating example: dynamic SOP applications

Diagram: a WebCamDriver component is fetched from a component repository (steps 1 to 3) and deployed on the Java SOP platform installed on a PDA, next to the user's own MyContactList component, so that the PDA can drive the webcam.

What happens if the WebCamDriver component is malware?
Slide 4: Context / Service-oriented programming (SOP) platforms

Examples: EJB 3.0, OSGi, Spring, Google Guice.

Diagram: an issuer publishes a component to the component repository; the SOP platform on the host discovers and deploys it. Components interact at the service level and at the class level.
Slide 5: Context / Attack vectors against SOP platforms

Example: the Java/OSGi platform. Actors in the diagram: issuer, component repository, OSGi platform on the host, user interface.

Attack vectors
- Remote access
- Exploit application vulnerabilities
- Exploit OS vulnerabilities
- Exploit component deployment
- Exploit SOP platform vulnerabilities

The slide marks the last two vectors, component deployment and SOP platform vulnerabilities, as the scope of this work.
Slide 6: Context / Contributions

Diagram: a (possibly malicious) component is 1. signed (SF-Jarsigner), 2. published to the component repository, 3.a loaded on the host and 3.b checked (digital signature) before it runs in its protection domain. Legend: research contributions, implementation, enhancement, specification implementation.

Contributions on the host: Digital Signature, Hardened OSGi, CBAC, WCA.
Slide 7: Outline
- Security for Java-based Software Systems
- Contributions
- Conclusions
Slide 8: Security for Java-based Software Systems / Building secure software systems

- The software development life-cycle
- Software security assurance (Goertzel et al., Software Security Assurance: a State-of-The-Art Report (SOAR), 2007)
- Monolithic view: systems are built from several mandatory and optional parts
Slide 9: Security for Java-based Software Systems / Identification of suitable protection mechanisms

Benefit/cost trade-off
- Cost estimation: minimal when flaws are repaired early, grows dramatically later in the life-cycle (Capers Jones, Applied software measurement: assuring productivity and quality, 1999)
- Components: repair is only possible if the code is available; otherwise only detection is possible
Slide 10: Security for Java-based Software Systems / Java application security: the principles

- Type safety: objects only perform actions defined through their type
- Automated memory management, through garbage collection
- Bytecode validation: executed code is not trusted
- Isolation of components through class loaders: prevents naming conflicts between components

Limitations
- Security use case: execution of a malicious applet in the JVM
- Class loaders enforce namespace isolation only
Slide 11: Security for Java-based Software Systems / The Java Security Manager

Diagram: code by Alice and code by Bob run in the JVM, each in its own protection domain; the permissions of each domain come from the policy file.

Java policy file:

    keystore "file:/home/pierre/keystore.ks";

    grant signedBy "alice" {
        permission java.io.FilePermission "/opt/secret/secretkeys", "read";
        permission org.osgi.framework.PackagePermission "*", "export";
        permission org.osgi.framework.ServicePermission "*", "register";
    };

    grant signedBy "bob" {
        permission org.osgi.framework.ServicePermission "fr.inria.ares.testservice.myservice", "register";
        permission org.osgi.framework.PackagePermission "*", "export";
    };

OSGi: Conditional Permissions
Slide 12: Security for Java-based Software Systems / Criticisms of Java permissions

- High performance overhead: 20 to 30 % runtime overhead, which causes security to be withdrawn from commercial applications
- Hard-coded definition of sensitive methods: new permissions apply to new code only
- Permission hell: the required permissions must be extracted for each configuration, a tedious manual process
- Runtime verification: dangerous calls are aborted or executed at runtime; in mobile apps, for instance, the authorization depends on the user
Slide 13: Outline
- Security for Java-based Software Systems
- Contributions
  - Building a secure platform: the SPIP method
  - Enforcing security for components: CBAC, WCA
- Conclusions
Slide 14: Building a secure platform: the SPIP method / The Spiral Process for Intrusion Prevention

The problem: identification of security issues in complex systems.

For each subsystem
- Comparison of various implementations
- Evaluation of protection mechanisms
- Security assessment
- Comparison
Slide 15: Building a secure platform: the SPIP method / The SPIP method

(Figure: the SPIP spiral; diagram only.)
Slide 16: Building a secure platform: the SPIP method / Quantification of the security of a system: the Protection Rate

Security level of complex systems
- Not a binary metric: a system is never free of vulnerabilities
- Protection Rate: the percentage of the known vulnerabilities that are protected against, measured relative to a reference system (here: an OSGi implementation with all known vulnerabilities)
- Based on the Attack Surface metric (Measuring Relative Attack Surfaces, Howard, 2005)
- Makes it possible to assess individual security mechanisms and to compare execution environments

Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software, Practice and Experience, 2008.
Slide 17: Building a secure platform: the SPIP method / Implementation for the OSGi platform

- Iteration 1: the Java/OSGi platform
- Iterations 2 to 4: propositions: Hardened OSGi, Component-based Access Control (CBAC), Weak Component Analysis (WCA)
- Iteration 5: integration with the JnJVM, a secure JVM implementation for OSGi applications
Slide 18: Building a secure platform: the SPIP method / Results: the vulnerability catalogs (Malicious Bundles)

Table: vulnerability category and number of entries (#), grouped by layer of the SOP component platform (service layer, module layer, life-cycle layer) and of the JVM (API, language, implementation); the slide also groups rows under "Service Binding", "Bundle Management" and "Local Access Control Management". Counts are given where legible.

- Invalid Workflow (1)
- No control on service registration (2)
- Invalid Metadata (3)
- Fragments (3)
- Invalid Archive
- Invalid Activator
- Bundle Management
- Proper removal
- Native Code execution
- File Handling
- Reflection
- ClassLoader
- No algorithm safety
- Runtime stopping (2)
- Runtime methods
- Thread management (4)
- Implementation (not considered): Optimization errors

Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform, INRIA Research Report, 2007.
Slide 19: Building a secure platform: the SPIP method / Results: the vulnerability catalogs (Vulnerable Bundles)

Table: vulnerability category and number of entries (#)

Objects (Services)
- Flaws in parameter validation: 10
- Exposed Internal Representation: 6
- Synchronization: 2
Component Classes
- Exposed Internal Representation: 4
- Avoidable Calls to the Security Manager: 9
Stand-alone
- Serialization: 1

More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions, INRIA Research Report, 2008.
Slide 20: Building a secure platform: the SPIP method / Results: Protection Rate for mainstream OSGi platforms

Platform                        Protected vulns   Identified vulns   Protection Rate
Concierge                              0                 28               0 %
Felix                                  1                 32               3.1 %
Knopflerfish                           1                 31               3.2 %
Equinox                                4                 31               13 %
Java Permissions                      13                 32               41 %
Concierge with Permissions            10                 28               36 %
Felix with Permissions                14                 32               44 %
Knopflerfish with Permissions         14                 31               44 %
Equinox with Permissions              17                 31               55 %
Slide 21: Building a secure platform: the SPIP method / Results: Hardened OSGi

Protection Rate: 25 % for the Malicious Bundles catalog entries.
(Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Software, Practice and Experience, 2008.)

Measures, each marked on the slide as either newly introduced or systematized:
- Check the component size before download, and control the cumulated size of loaded components
- Check the digital signature at install time
- Launch the component activator in a separate thread
- Limit the number of registered services
- Do not reject harmless unnecessary metadata
- Remove all component data from disk at uninstallation

Diagram: Hardened OSGi runs on the host.
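The first two measures above, the size limit with a cumulated quota and the install-time signature check, are shown below as an added example. It is not code from the thesis or from any OSGi framework; the limits, the class name and the trusted-signer argument are assumptions chosen for the example. It uses only the JDK: JarFile in verifying mode checks every entry digest as the entry is read, and an entry's code signers become available once its bytes have been consumed.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.security.auth.x500.X500Principal;

/** Install-time guard in the spirit of Hardened OSGi (example code, not the thesis' implementation). */
public final class HardenedInstallGuard {
    // Limits are assumed values for the example; a real platform would make them configurable.
    private final long maxComponentBytes;
    private final long maxCumulativeBytes;
    private long loadedBytes = 0;

    public HardenedInstallGuard(long maxComponentBytes, long maxCumulativeBytes) {
        this.maxComponentBytes = maxComponentBytes;
        this.maxCumulativeBytes = maxCumulativeBytes;
    }

    /** Size check on the declared size, run before the archive is downloaded or parsed. */
    public synchronized boolean admitSize(long declaredBytes) {
        if (declaredBytes <= 0 || declaredBytes > maxComponentBytes) return false;
        if (loadedBytes + declaredBytes > maxCumulativeBytes) return false;   // cumulated quota
        loadedBytes += declaredBytes;
        return true;
    }

    /** Called at uninstallation so the component's size is released from the quota. */
    public synchronized void release(long bytes) {
        loadedBytes = Math.max(0, loadedBytes - bytes);
    }

    /**
     * Signature check at install time: every class and resource entry must be signed by the
     * trusted signer and every digest must match. The manifest and signature files are exempt,
     * since they cannot sign themselves.
     */
    public static boolean isSignedBy(File bundle, X500Principal trustedSigner) throws IOException {
        try (JarFile jar = new JarFile(bundle, true)) {                // verify = true
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                drain(jar.getInputStream(entry));                       // signers are known only after the bytes are read
                CodeSigner[] signers = entry.getCodeSigners();          // null for an unsigned entry
                if (signers == null || !anySignedBy(signers, trustedSigner)) return false;
            }
            return true;
        } catch (SecurityException tampered) {                         // thrown by JarFile on a digest mismatch
            return false;
        }
    }

    private static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    private static boolean anySignedBy(CodeSigner[] signers, X500Principal trusted) {
        for (CodeSigner signer : signers) {
            Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
            if (leaf instanceof X509Certificate x509 && x509.getSubjectX500Principal().equals(trusted)) {
                return true;
            }
        }
        return false;
    }

    private static void drain(InputStream in) throws IOException {
        try (in) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { /* discard: reading is what triggers digest verification */ }
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed limits: 2 MiB per component, 32 MiB for all loaded components.
        HardenedInstallGuard guard = new HardenedInstallGuard(2L << 20, 32L << 20);
        File bundle = new File(args[0]);                                // bundle path supplied by the caller
        X500Principal trusted = new X500Principal(args[1]);             // signer subject, e.g. "CN=alice"
        boolean admitted = guard.admitSize(bundle.length()) && isSignedBy(bundle, trusted);
        System.out.println(bundle.getName() + (admitted ? " admitted" : " rejected"));
    }
}
```

Usage: `java HardenedInstallGuard bundle.jar "CN=alice"` (Java 17 or later for the pattern-matching `instanceof`). The check matches the leaf certificate's subject only; a deployment would additionally validate the signer's certificate path against the platform's trust store, which is what the keystore line of the policy file on slide 11 provides for Java permissions.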
Slide 22: Outline
- Security for Java-based Software Systems
- Contributions
  - Building a secure platform: the SPIP method
  - Enforcing security for components: CBAC, WCA
- Conclusions
Slide 23: Enforcing security for components: CBAC, WCA / The problem

Security issues with components: maliciousness, vulnerability.

Installing secure components: bytecode analysis only.
Slide 24: Enforcing security for components: CBAC, WCA / Definition of tools in the SPIP method

(Figure: diagram only.)
Slide 25: Enforcing security for components: CBAC, WCA / The CBAC model: principles

Component-based Access Control

Goal: prevent the issues of the Malicious Bundles catalog.

Principles
- Install-time analysis of the execution rights of components
- Sensitive calls must be explicitly granted
- Composition is taken into account
- Intended as an alternative to Java permissions

Hypotheses
- The component platform is not modified
- Each component contains a valid digital signature

Component-based Access Control: Secure Software Composition through Static Analysis, Software Composition, 2008.

Diagram: CBAC runs on the host beside the OSGi platform.
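The two principles "install-time analysis" and "sensitive calls must be explicitly granted" are shown below as an added example. It is not the thesis' CBAC implementation: it reads the constant pool of each class in a bundle, lists every method the class refers to, and reports the sensitive ones that the policy does not grant to the bundle's signer. The sensitive-method list, the signer names and the grant format are assumptions for the example; the signer would in practice come from the digital signature that the CBAC hypotheses require.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Install-time scan for ungranted sensitive calls (example code, not the thesis' CBAC tool). */
public final class CbacScanner {
    /** Methods treated as sensitive; an assumed list, CBAC lets the policy choose them. */
    static final Set<String> SENSITIVE = Set.of(
        "java/lang/Runtime.exec", "java/lang/Runtime.halt", "java/lang/System.exit",
        "java/lang/System.loadLibrary", "java/lang/Thread.stop",
        "java/lang/reflect/Method.invoke", "java/io/File.delete");

    /** Policy: for each signer, the sensitive methods its components are granted. */
    private final Map<String, Set<String>> grants;

    public CbacScanner(Map<String, Set<String>> grants) { this.grants = grants; }

    /** Sensitive methods referenced by the class that its signer has not been granted. */
    public Set<String> denied(String signer, InputStream classFile) throws IOException {
        Set<String> granted = grants.getOrDefault(signer, Set.of());
        Set<String> denied = new TreeSet<>();
        for (String ref : methodRefs(classFile)) {
            if (SENSITIVE.contains(ref) && !granted.contains(ref)) denied.add(ref);
        }
        return denied;
    }

    /** Reads only the constant pool and returns "owner.name" for each Methodref / InterfaceMethodref. */
    static Set<String> methodRefs(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        if (d.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        d.readUnsignedShort(); d.readUnsignedShort();                   // minor, major version
        int count = d.readUnsignedShort();
        String[] utf8 = new String[count];
        int[] classNameIdx = new int[count];                            // CONSTANT_Class -> Utf8 index
        int[] natNameIdx = new int[count];                              // CONSTANT_NameAndType -> Utf8 index
        List<int[]> refs = new ArrayList<>();                           // {class index, NameAndType index}
        for (int i = 1; i < count; i++) {
            int tag = d.readUnsignedByte();
            switch (tag) {
                case 1 -> utf8[i] = d.readUTF();                        // Utf8: u2 length + modified UTF-8
                case 7 -> classNameIdx[i] = d.readUnsignedShort();      // Class
                case 12 -> { natNameIdx[i] = d.readUnsignedShort(); d.readUnsignedShort(); } // NameAndType
                case 10, 11 -> refs.add(new int[] { d.readUnsignedShort(), d.readUnsignedShort() });
                case 8, 16, 19, 20 -> d.readUnsignedShort();            // String, MethodType, Module, Package
                case 9, 17, 18 -> { d.readUnsignedShort(); d.readUnsignedShort(); } // Fieldref, Dynamic, InvokeDynamic
                case 3, 4 -> d.readInt();                               // Integer, Float
                case 5, 6 -> { d.readLong(); i++; }                     // Long, Double occupy two slots
                case 15 -> { d.readUnsignedByte(); d.readUnsignedShort(); } // MethodHandle
                default -> throw new IOException("unknown constant pool tag " + tag);
            }
        }
        Set<String> out = new TreeSet<>();
        for (int[] r : refs) out.add(utf8[classNameIdx[r[0]]] + "." + utf8[natNameIdx[r[1]]]);
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Assumed policy: components signed by "alice" may spawn processes; no one else gets a sensitive call.
        CbacScanner scanner = new CbacScanner(Map.of("alice", Set.of("java/lang/Runtime.exec")));
        try (JarFile jar = new JarFile(args[0])) {                      // args: bundle path, signer name
            for (JarEntry e : Collections.list(jar.entries())) {
                if (!e.getName().endsWith(".class")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    Set<String> denied = scanner.denied(args[1], in);
                    if (!denied.isEmpty()) System.out.println(e.getName() + " -> deny: " + denied);
                }
            }
        }
    }
}
```

Usage: `java CbacScanner bundle.jar alice` (Java 14 or later for the arrow-form switch). Because the constant pool holds every static method reference of a class, including those behind MethodHandle constants, the scan sees each sensitive call once without executing anything, which is what gives CBAC its absence of runtime overhead. Calls reached through reflection are only visible as a reference to Method.invoke, which is why reflection itself belongs on the sensitive list, as in the Malicious Bundles catalog on slide 18.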
Slide 26: Enforcing security for components: CBAC, WCA / The CBAC model: definition

(Figure: diagram only.)
Slide 27: Enforcing security for components: CBAC, WCA / The CBAC model: performance

Chart: time (ms, 0 to 2500) against bundle size (KBytes), two series: "CBAC check only" and "Signature check". Bundle sizes measured: 6.33, 7.62, 10.32, 12.23, 13.72, 17.71, 34.06, 52.2, 86.37, 356.76 and 5.51, 6.49, 7.92, 11.74, 13.42, 14.28, 24.92, 38.72, 76.94, 131.48 KBytes.
Slide 28: Enforcing security for components: CBAC, WCA / The CBAC model: benefits and limitations

Benefits
- No runtime overhead, reduced install-time overhead
- No application interruption, at the cost of false positives
- No misleading pop-up windows
- Arbitrary methods and metadata can be set as sensitive
- Makes it possible to protect against vulnerabilities discovered after design
- Protection Rate: 50 % for the Malicious Bundles catalog entries

Limitations
- Policies must be defined in advance
Slide 29: Enforcing security for components: CBAC, WCA / The WCA approach: principles

Weak Component Analysis

Goal: prevent the issues of the Vulnerable Bundles catalog.

Principles
- Vulnerability identification through static analysis, in exposed code only
- Through the code meta-model, matched against vulnerability patterns
- Development-time and install-time use
- XML version of the patterns for flexibility, hardcoded version for performance

Enhancing Automated Detection of Vulnerabilities in Java Components, International Conference on Availability, Reliability and Security (AReS 2009).

Diagram: WCA runs on the host beside the OSGi platform.
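To make the "exposed code" and "vulnerability patterns" concrete, the added example below shows three categories of the Vulnerable Bundles catalog (slide 19), Exposed Internal Representation, Flaws in parameter validation and Synchronization, in a service implementation as WCA would see them in the public service interface, each beside a hardened form. It is example code, not the thesis' WCA tool or its pattern definitions; the ContactList service and its methods are assumptions for the example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

/** Vulnerable Bundles patterns and their hardened forms (example code, not from the thesis). */
public final class WcaPatterns {
    /** The exposed code: a service interface another bundle can bind to (assumed service). */
    public interface ContactList {
        List<String> contacts();
        void setAdmins(String[] admins);
        void add(String contact);
    }

    /** As found in the catalog: exposed internal representation, unchecked parameter, no synchronization. */
    static final class WeakContactList implements ContactList {
        private final List<String> contacts = new ArrayList<>();
        private String[] admins = new String[0];

        public List<String> contacts() { return contacts; }              // Exposed Internal Representation: the live list escapes
        public void setAdmins(String[] admins) { this.admins = admins; } // Flaws in parameter validation: null accepted, caller keeps a mutable handle
        public void add(String contact) { contacts.add(contact); }       // Synchronization: shared state updated without a lock
        public int adminCount() { return admins.length; }                // fails with NullPointerException after setAdmins(null)
    }

    /** Hardened form: defensive copies in and out, validated parameters, one lock for the shared state. */
    static final class HardenedContactList implements ContactList {
        private final List<String> contacts = new ArrayList<>();
        private String[] admins = new String[0];

        public synchronized List<String> contacts() {
            return Collections.unmodifiableList(new ArrayList<>(contacts)); // read-only snapshot
        }
        public synchronized void setAdmins(String[] admins) {
            Objects.requireNonNull(admins, "admins");
            for (String a : admins) Objects.requireNonNull(a, "admin entry");
            this.admins = admins.clone();                                   // the caller's array can no longer change ours
        }
        public synchronized void add(String contact) {
            if (contact == null || contact.isBlank()) throw new IllegalArgumentException("empty contact");
            contacts.add(contact);
        }
        public synchronized int adminCount() { return admins.length; }
    }

    public static void main(String[] args) {
        // Constructed sample data: one contact, then a client bundle tries to clear the service's list.
        WeakContactList weak = new WeakContactList();
        weak.add("alice@example.org");
        weak.contacts().clear();                                            // the service's own state is emptied
        System.out.println("weak: contacts after client clear() = " + weak.contacts().size());

        HardenedContactList hard = new HardenedContactList();
        hard.add("alice@example.org");
        try {
            hard.contacts().clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened: clear() on the returned view is rejected");
        }
        System.out.println("hardened: contacts after client clear() = " + hard.contacts().size());
    }
}
```

The patterns are structural, which is what the slide means by matching on the code meta-model: a public method of an exposed class that returns a mutable field, a public setter that stores a reference parameter without a check or a copy, and unsynchronized access to a field shared between callers can each be recognised without executing the bundle.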
Slide 30: Enforcing security for components: CBAC, WCA / The WCA approach: performance

Chart: time (ms, 0 to 1200) against bundle size (KBytes), three series: "Hardcoded Reject check", "Hardcoded Report check" and "XML Report check". Bundle sizes measured: 4.28, 6.49, 8.12, 11.91, 16.79, 18.73, 23.97, 43.31, 99.65, 155.3, 259.45, 406.34, 713.6 KBytes.
Slide 31: Enforcing security for components: CBAC, WCA / The WCA approach: benefits and limitations

Benefits
- Identification of exploitable vulnerabilities in Java components, according to the exposure of the code
- Easy to extend in principle
- Development-time and runtime use
- Protection Rate: 36 % for the Vulnerable Bundles catalog entries

Limitations of the implementation
- Hardcoded version is slower
- Only structural patterns are supported so far
- Limited flexibility in the definition of patterns
Slide 32: Outline
- Security for Java-based Software Systems
- Contributions
- Conclusions
Slide 33: Conclusions / Development overview

Diagram (as on slide 6): 1. sign, 2. publish, 3.a load, 3.b check; Digital Signature, Hardened OSGi, CBAC and WCA on the host.

Tool                    Lines of code
Digital Signature            330
SF-JarSigner                 557
Malicious Components         155 bundles
Hardened OSGi                224
CBAC                         577
WCA                         2026
Slide 34: Conclusions / Evaluation of the proposed solutions

SPIP
- Promising methodology for security analysis
- Requires validation on further systems and support for cost estimation

Tools for secure component-based applications (CBAC, WCA)
- Refined static analysis approach
- Only a subset of best practices is enforced so far
- Need for actual isolation between the bundles
- Further attack vectors should be considered
Slide 35: Conclusions / Who can benefit from this work?

Role              Platform developer                      Application architect                   Application developer
Focus on          Execution environment                   Architecture                            Components
System entity     Platform                                Components                              Components
Life-cycle        Platform                                Application                             Application
Activity          Design and coding                       Design                                  Coding
Our propositions  Security analysis for the platform;     Security analysis for all;              Security analysis for the components
                  Hardened OSGi                           CBAC, WCA integration
Slide 36: Conclusions / Open challenges

Resource isolation
- First solution: integration with the JnJVM

Development for industrial use of the OSGi platform
- Specifications
- Life-cycle support for bundles
- Management
- Critical applications: strong isolation between applications
- Multi-user applications: strong access control mechanism
Slide 37: Questions?

(Diagram as on slide 6.)
Slide 38: References

Karen M. Goertzel, Theodore Winograd, Holly L. McKinley, Lyndon Oh, Michael Colon, Thomas McGibbon, Elaine Fedchak, and Robert Vienneau. Software Security Assurance: a State-of-The-Art Report (SOAR). Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS), July 2007.

Michael Howard, Jon Pincus, and Jeannette M. Wing. Computer Security in the 21st Century, chapter Measuring Relative Attack Surfaces, pages 109-137. Springer, March 2005.

Capers Jones. Applied software measurement: assuring productivity and quality. McGraw-Hill, Inc., New York, NY, USA, 1999.

Yvan Royon. Environnements d'exécution pour passerelles domestiques. PhD Thesis, INSA-Lyon, December 2007.

Noha Ibrahim. Spontaneous Integration of Services in Pervasive Environments. PhD Thesis, INSA-Lyon, September 2008.
Slide 39: Selected publications

Journal article
- Security Benchmarks of OSGi Platforms: Toward Hardened OSGi, Pierre Parrend, Stéphane Frénot, Software, Practice and Experience. Accepted for publication (September 2008).

International conferences, industrial conferences
- Enhancing Automated Detection of Vulnerabilities in Java Components, Pierre Parrend, Fourth International Conference on Availability, Reliability and Security (AReS 2009), Fukuoka, Japan, 16-19 March 2009.
- Classification of Component Vulnerabilities in Java Service Oriented Programming (SOP) Platforms, Pierre Parrend, Stéphane Frénot, Conference on Component-based Software Engineering, Karlsruhe, Germany, 14-17 October 2008.
- Component-based Access Control: Secure Software Composition through Static Analysis, Pierre Parrend, Stéphane Frénot, Software Composition, Budapest, Hungary, 29-30 March 2008.
- Multi-service, Multi-protocol Management for Residential Gateways Home Network Management, Y. Royon, P. Parrend, S. Frénot, S. Papastefanos, H. Abdelnur, D. Van de Poel, BB Europe, Antwerp, 3-6 December 2007.

Research reports
- More Vulnerabilities in the Java/OSGi Platform: a Focus on Bundle Interactions, Pierre Parrend, Stéphane Frénot, INRIA Research Report no. 6649, September 2008.
- Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform, Pierre Parrend, Stéphane Frénot, INRIA Research Report no. 6231, June 2007.